GitHub Gist – Recent Account Takeover Vulnerability Patched


A bug bounty hunter recently earned $55,000 for reporting this exploit along with a separate set of RCE flaws. The GitHub security team has patched an account takeover vulnerability affecting the GitHub Gist code-sharing service, earning its finder a $10,000 reward.

GitHub Gist allows developers to instantly share code snippets through either private or public repositories. On October 19, William “vakzz” Bowling released a GitHub security advisory – one of three – which disclosed a severe bug exposing separate ‘gists’ through multiple open redirect errors.


Because Gist and GitHub use separate session tokens, the flaw granted access only to Gist.

Source: portswigger